We explain the implications for operational resilience for firms using outsourcing and other third party service providers, and what we expect from them.
- Operational resilience and third party providers
- How we define outsourcing and third party service supply
- Existing expectations on outsourcing and third party provision
- Material, critical or important outsourcing notifications
- Intra-group outsourcing
- Outsourcing and data security
- Outsourcing of portfolio management: list of cooperation agreements
- Risk management of outsourcing
- Cloud outsourcing
- FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services
- ESA Level 3 Guidelines on outsourcing, including cloud
- Who the EBA outsourcing guidelines apply to
Firms increasingly depend on third party providers and outsourcers. This means firms need to effectively manage these providers to reduce the risk of operational disruption and harm to their consumers.
We expect your firm to be operationally resilient by having a comprehensive understanding and mapping of the people, processes, technology, facilities and information necessary to deliver each of your important business services. This includes people and other dependencies such as third parties. Your firm should assess the risks and controls in place to ensure it is operationally resilient.
The FCA’s Handbook Glossary sets out the definition of outsourcing. In most instances, a firm is outsourcing when it enters into an arrangement in which a service provider performs a process, service or activity on behalf of the firm that the firm would otherwise carry out itself. So, for example, a firm can outsource the hosting of a data centre or a business process to a third party.
But third parties can also provide services that are not classed as outsourcing. For example, the acquisition of services that would otherwise not be undertaken by the firm such as the provision of vending machines, the purchase of office supplies and furniture, cleaning, statutory audit and legal representation in court. Other services such as global network infrastructures (e.g. Visa, MasterCard), the buying of standard "off-the-shelf" software, or the purchase of market information services (e.g. provision of data by Bloomberg, Standard & Poor’s) should not be considered as outsourcing.
A firm’s arrangements with third parties that fall outside the definition of ‘outsourcing’ may not be subject to the specific requirements on outsourcing. They are, however, within the scope of the FCA’s rules and guidance, particularly on governance, risk management and systems and controls. For more information please see Existing expectations on outsourcing and third party provision below.
Firms that use these providers must take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. Principle 3 and SYSC 1.2.1 in our Handbook explain this further.
Different requirements and guidance apply to different types of firms and may also depend on the type of function being outsourced. For example, whether the function being outsourced is considered critical or important, is material outsourcing, or involves important operational functions. These specific terms apply to different types of firms and are explained in the Handbook (e.g. SYSC 8 and 13), the Electronic Money Regulations 2011, the Payment Services Regulations 2017, the directly applicable MiFID II Org Regulation covering organisational requirements and the European Supervisory Authority (ESA) Outsourcing Guidelines. For further guidance on applying the Handbook, see the detailed application provisions and summary in SYSC 1, Annex 1 and SYSC 1.1A respectively.
Firms that use outsourced and other third party service providers should take responsibility for managing the risk arising from those arrangements. Greater levels of risk management are needed as a firm increases its dependence on outsourced and third party service providers. This includes the delivery of services that could affect the firm’s ability to remain authorised. The risks of potential harm from operational disruption can change over time, and firms should manage them accordingly.
The requirements include identifying and managing the associated operational risks throughout the life span of third party arrangements from beginning to end.
We expect firms to be risk-based and proportionate, considering the nature, scale and complexity of their operations when meeting their obligations for outsourcing and third parties.
Firms are required to provide us with information to enable us to monitor their compliance with regulatory obligations. Compliance with Principle 11 includes a firm disclosing to us anything relating to the firm which may have a serious regulatory impact (SUP 15.3.8). This includes the notification and reporting requirements on critical, important or material outsourcing (SYSC 8.1.12 and SYSC 13.9.2).
Intra-group outsourcing is when a firm enters into an outsourcing arrangement with a company in the same group, including cross-border outsourcing to parent or sibling companies outside the UK. Firms with intra-group outsourcing arrangements are required by outsourcing legislation, and by the FCA rules, to meet the same requirements as for outsourcing to an external third party. Firms should not treat it as being less risky, or as not being subject to outsourcing requirements. Firms may consider the extent to which they influence and control their third parties, where those parties are members of the same group, so that risks can be identified and managed effectively.
We expect firms to manage the amount of data being stored, processed or transmitted by third party providers on behalf of the firm, and how critical to operations that data is. This includes how firms configure and monitor their services to reduce security and compliance incidents.
Firms should implement an appropriate level of security to protect outsourced data, and should also meet the relevant data protection requirements and ESA guidelines, which are separate from the FCA Handbook.
MiFID investment firms can use this list to assess their compliance with Article 32(1) of the MiFID Org Regulation. Firms should also consider the outsourcing requirements at Articles 30 and 31 of the MiFID Org Regulation and in SYSC 8 of our Handbook.
Your firm should have appropriate risk management systems and controls to manage the risks associated with the provider, including:
- the risk management of third party relationships, whether counted as outsourcing or not, eg SYSC 3.1.1R and SYSC 4.1.1R as set out in our Senior Management Arrangements, Systems and Controls (SYSC) sourcebook
- assessing whether your firm’s third party arrangements fall within the scope of the definition of outsourcing so that you identify the correct rules and guidance
- ensuring your firm effectively follows the relevant rules and guidance
- applying the rules and guidance effectively through the extended supply chain
Your firm is responsible and accountable for all the regulatory responsibilities that apply to outsourcing and third party service arrangements. Firms cannot delegate any part of this responsibility to a third party.
We view the provision of cloud services for the delivery of important business functions as a form of (potentially material) outsourcing. Firms can use cloud services if they comply with our rules.
Finalised Guidance 16/5 clarified the requirements for firms when outsourcing to the cloud and other third party IT services. Since publishing FG16/5, the EBA finalised its own outsourcing cloud recommendations (EBA/REC/2017/03) and has included them in wider outsourcing guidelines (EBA/GL/2019/02). We have amended the scope of the firms that FG16/5 guidance applies to, so that firms subject to the EBA guidelines do not have to follow both. FG16/5 applies to all other firms.
We engage with all 3 ESAs on the supervision of EU financial markets. These are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA). Our general approach to ESA Level 3 materials (eg the ESA Guidelines) with regard to Brexit was confirmed in the FCA’s Brexit Policy Statement (PS19/5) published in February 2019.
Following the finalisation of the EBA’s guidelines on outsourcing (EBA/GL/2019/02) in February 2019, which also included the EBA’s final report on cloud recommendations (EBA/REC/2017/03), we notified the EBA that we will comply with the EBA guidelines on outsourcing. In line with our approach to Level 3 materials set out in PS19/5, we expect firms to continue to comply with the guidelines, to the extent they remain relevant, now that the UK has left the EU. See our approach to EU non-legislative materials.
The EBA outsourcing guidelines (EBA/GL/2019/02) apply to credit institutions and investment firms subject to the EU Capital Requirements Directive (2013/36/EU). These are banks, building societies and IFPRU investment firms as defined in our Handbook. The Guidelines also apply to payment institutions and electronic money institutions. They do not apply to Account Information Service Providers that only provide the service in point 8 of Annex I of PSD2.
The guidelines came into force on 30 September 2019 for outsourcing arrangements including those started, reviewed or amended on or after this date. There are also transitional arrangements covering cooperation agreements extending up to 2021, a register of outsourcing and the review of existing ‘critical or important’ outsourcing arrangements entered into before 30 September 2019.
Firms are not expected to report to us on their progress towards meeting the timeline of 31 December 2021 in the EBA Guidelines regarding legacy outsourcing arrangements. Firms should aim to review any outstanding critical or important outsourcing arrangement at the first appropriate contract renewal or revision point of each existing outsourcing arrangement. Where the review of critical or important outsourcing arrangements has not been finalised by 31 March 2022, firms should inform us. This timeframe aligns with that of our final operational resilience policy (PS21/3), and our approach to these guidelines aligns with that of the PRA. For further information on the PRA’s approach, see PS7/21.